Full Disclosure mailing list archives

Generic method to detect the presence of any virtual machine
From: "Bipin Gautam" <gautam.bipin () gmail com>
Date: Thu, 19 Oct 2006 23:03:15 +0545

Microsoft Virtual Machine & VMWARE information disclosure Vulnerability

Note: Though not limited to these two products, this trick can be used
as a generic method to detect the presence of any virtual machine
regardless of the OS used at this date. But (from a friendly source) I
came to know these all represent design decisions by the software
makers. Isn't THAT RIDICULOUS!!!?

Tested on: Microsoft Virtual PC 5.3.582.27
           VMware Workstation 4.5.2 build-8848

Virtual Machines are very often used in new virus/trojan analysis,
honeypots, IDS etc.

But an attacker or malicious code can easily figure out if it is inside
a Virtual Machine or a Real System by querying various hardware
parameters & features from the OS.

If the virtual machine responds with too much, too little, UNKNOWN or
suspicious hardware information on ANY SYSTEM HARDWARE (virtual) it
can always be clearly guessed that the user/code is inside the virtual
machine.
Moreover the emulated BIOS in the virtual machine is almost the same for
a version release, which can be detected from the virtual OS.

Below are my findings (which is obviously not a complete list but is
enough to draw conclusions for a software/person that it is inside a
virtual machine).

I was surprised to get even the information of the PRIVATE LICENSED
PRODUCT KEY while I was querying Motherboard System Information
inside the virtual machine.

So here are the data:
System query outputs inside the virtual machine that will clearly
demonstrate the presence of a Virtual Machine, which are obviously unique &
fake & don't resemble real hardware information.
-----------------------------------------------------------------------


(Query Output inside Microsoft Virtual Machine)

Hdd Model: Virtual HD
Firmware version : 1. 1
Serial number    :
Buffer size      : 64 KB
Standard         :


When queried for the information;
RAM memory speed, Manufacturer, Serial No., Voltage, CPU clock ratio &
Max allowed frequency -------> The information is unknown to the
system

Motherboard:
Company Brand Name: Vmware, Inc VMware

Video Chipset & Video Memory information

System Manufacturer : VMware, Inc
Product Name: VMware Virtual Platform
Product Version
------------------------------------------------------------------------

( Output inside VMWARE )

HDD Model: VMware Virtual IDE Hard Drive
Firmware version : 00000001
Serial number    : 00000000000000000001
Buffer size      : 64 KB
Standard         :

Company Brand Name: Microsoft Corporation Virtual Machine

When queried for the information;
CPU clock ratio & Max allowed frequency not displayed

Motherboard Model: Microsoft Corporation Virtual Machine

The L1, L2, L3 cache size information unknown

The device names for HDD & CD were Virtual HD, Virtual CD

------------------------------------------------------------------------
And for ATA security mode & other ATA features (in both virtual machines)


S.M.A.R.T                    : no
48-bit Address               : no
Read Look-Ahead              : no
Write Cache                  : no
Host Protected Area          : no
Device Configuration Overlay : no
Automatic Acoustic Management: no
Power Management             : no
Advanced Power Management    : no
Power-up in Standby          : no
Security Mode                : no
Firmware Upgradable          : no

-----------------------------------------------------------------------

Querying just a few of the above mentioned pieces of information from inside the
virtual machine can IMMEDIATELY PROVE the presence of a virtual machine,
not the actual system.
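An added example (not part of the post): a small Python audit, useful to whoever runs an analysis VM or honeypot, that parses the kind of hardware query output quoted above and reports which of the post's indicators would give the lab machine away. The vendor strings and ATA feature names are taken from the post; the two sample reports are constructed, and the physical-disk values in them are invented.

```python
# Vendor/product strings the post reports seeing inside Virtual PC and VMware.
VM_MARKERS = ("vmware", "virtual hd", "virtual cd", "virtual platform",
              "virtual machine", "virtual ide")
# ATA capability flags the post lists as all "no" under both hypervisors.
ATA_FEATURES = ("S.M.A.R.T", "48-bit Address", "Read Look-Ahead", "Write Cache",
                "Host Protected Area", "Device Configuration Overlay", "Power Management",
                "Automatic Acoustic Management", "Advanced Power Management",
                "Power-up in Standby", "Security Mode", "Firmware Upgradable")

def parse_report(text):
    """Parse 'Key : value' lines into a dict; an empty value is kept as ''."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields

def audit(fields):
    """Return the findings that would expose this host as a virtual machine."""
    findings = []
    for key, value in fields.items():            # 1. tell-tale vendor strings
        if any(m in value.lower() for m in VM_MARKERS):
            findings.append(f"{key}: vendor/product string '{value}'")
    serial = fields.get("Serial number", "")     # 2. empty or placeholder serial
    if serial.strip("0") in ("", "1"):
        findings.append(f"Serial number: placeholder value '{serial}'")
    answers = [fields[f].lower() for f in ATA_FEATURES if f in fields]
    if answers and set(answers) == {"no"}:       # 3. "too little" capability
        findings.append("ATA: every capability reported 'no'")
    return findings

# Constructed sample, assembled from the HDD and ATA values quoted in the post.
VMWARE_GUEST = """\
HDD Model: VMware Virtual IDE Hard Drive
Firmware version : 00000001
Serial number    : 00000000000000000001
S.M.A.R.T        : no
Write Cache      : no
Security Mode    : no
"""
# Constructed sample of what a physical disk would look like (values invented).
PHYSICAL_HOST = """\
HDD Model: ST3500418AS
Firmware version : CC38
Serial number    : Z1AB23CD
S.M.A.R.T        : yes
Write Cache      : yes
Security Mode    : no
"""
```

Run `audit(parse_report(VMWARE_GUEST))` to get the three findings and `audit(parse_report(PHYSICAL_HOST))` to get an empty list; feed it the output of whatever disk/DMI query tool you use to see which of the post's indicators your own lab VM still exposes.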

A virus/worm MAY (can?) effectively bypass detection while being
executed/detected in a sandbox if the same principle is applied in the
coding/execution cycle, by doing an actual hardware detect. (Could you
please test the principle with the NORMAN sandbox (& similar sandbox
technology which is based on behavior detection) as its license clauses
don't fit me as a tester. Encrypt a known virus/worm with a key file...
with the condition below using hardware detect on any of the above
parameters & PLEASEEEEEE let us know about the results over here.)

say,

if (sandbox_detected())
    say_hello_world();
else
    start_code_decryption();

best regards,
-bipin
---
************************************************************************
http://groups.google.com/group/AntiForensics
 -Where you will learn to PROTECT your DIGITAL PRIVACY.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

